From c6991dfd5fb17326885567501d4ca4f532736aa1 Mon Sep 17 00:00:00 2001
From: Yuval Yacoby <33892515+yuvalyacoby@users.noreply.github.com>
Date: Sun, 15 Oct 2023 19:14:24 +0300
Subject: [PATCH] Helm use external certificates (#4913)
---
 k8s/charts/seaweedfs/templates/ca-cert.yaml | 2 +-
 k8s/charts/seaweedfs/templates/cert-caissuer.yaml | 2 +-
 k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml | 2 +-
 k8s/charts/seaweedfs/templates/client-cert.yaml | 2 +-
 k8s/charts/seaweedfs/templates/filer-cert.yaml | 2 +-
 k8s/charts/seaweedfs/templates/master-cert.yaml | 2 +-
 k8s/charts/seaweedfs/templates/volume-cert.yaml | 2 +-
 k8s/charts/seaweedfs/values.yaml | 5 +++++
 8 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/k8s/charts/seaweedfs/templates/ca-cert.yaml b/k8s/charts/seaweedfs/templates/ca-cert.yaml
index c1d432d31..fc002aebe 100644
--- a/k8s/charts/seaweedfs/templates/ca-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/ca-cert.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
diff --git a/k8s/charts/seaweedfs/templates/cert-caissuer.yaml b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
index 4c2693043..72de126e1 100644
--- a/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
+++ b/k8s/charts/seaweedfs/templates/cert-caissuer.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Issuer
 metadata:
diff --git a/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml b/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
index c46aa4756..42e080fd6 100644
--- a/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
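Review bot: In templates/ca-cert.yaml the new flag is read from `.Values.certificates.externalCertificates.enabled`, while the other two values on the same lines live under `.Values.global` (`global.enableSecurity`, `global.certificates.alphacrds`). An operator who sets `global.certificates.externalCertificates.enabled: true` therefore gets no error, and the chart keeps issuing its own CA and certificates through cert-manager instead of trusting the supplied ones. The same condition is repeated in cert-caissuer.yaml, cert-clusterissuer.yaml, client-cert.yaml, filer-cert.yaml, master-cert.yaml and volume-cert.yaml. I would spell the exact path out in the values.yaml comment, for example `# set certificates.externalCertificates.enabled (top-level, not under global)`, or keep the condition in one named template so the seven files cannot drift apart. On style, the action closes as `enabled)}}`, where `enabled) }}` would match the spacing of the line it replaces; each template's body continues outside its hunk.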
+++ b/k8s/charts/seaweedfs/templates/cert-clusterissuer.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: ClusterIssuer
 metadata:
diff --git a/k8s/charts/seaweedfs/templates/client-cert.yaml b/k8s/charts/seaweedfs/templates/client-cert.yaml
index 5904a00b6..bda132a02 100644
--- a/k8s/charts/seaweedfs/templates/client-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/client-cert.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
diff --git a/k8s/charts/seaweedfs/templates/filer-cert.yaml b/k8s/charts/seaweedfs/templates/filer-cert.yaml
index 8b5dbe257..c17815af2 100644
--- a/k8s/charts/seaweedfs/templates/filer-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/filer-cert.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
diff --git a/k8s/charts/seaweedfs/templates/master-cert.yaml b/k8s/charts/seaweedfs/templates/master-cert.yaml
index bb935eedb..47dcaacd3 100644
--- a/k8s/charts/seaweedfs/templates/master-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/master-cert.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
diff --git a/k8s/charts/seaweedfs/templates/volume-cert.yaml b/k8s/charts/seaweedfs/templates/volume-cert.yaml
index c6b333f7c..4df63db2c 100644
--- a/k8s/charts/seaweedfs/templates/volume-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/volume-cert.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.global.enableSecurity }}
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
 apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
 kind: Certificate
 metadata:
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 9e12a6e05..a83ceac46 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -640,3 +640,8 @@ certificates:
 keySize: 2048
 duration: 2160h # 90d
 renewBefore: 360h # 15d
+ externalCertificates:
+ # This will avoid the need to use cert-manager and will rely on providing your own external certificates and CA
+ # you will need to store your provided certificates in the secret read by the different services:
+ # seaweedfs-master-cert, seaweedfs-filer-cert, etc. Can see any statefulset definition to see secret names
+ enabled: false
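Review bot: The comment added under `externalCertificates:` in values.yaml names only `seaweedfs-master-cert` and `seaweedfs-filer-cert` plus "etc.", while the same commit stops rendering five Certificate templates (ca, client, filer, master, volume), and it does not say which keys each secret must hold. With the flag on, a missing or incomplete secret would likely surface only when a pod fails to mount or load it. Renewal is also no longer handled by cert-manager, so `keySize`, `duration` and `renewBefore` just above presumably stop having any effect. I would extend the comment, for example `# Every secret must exist before install and presumably carry the keys cert-manager would write (tls.crt, tls.key, ca.crt), all issued by the same CA.` and `# Rotation is the operator's job in this mode; keySize/duration/renewBefore are not used.` The `certificates:` mapping starts above the hunk.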